
Showing posts with the label java

Styxy Cool Exploit Kit: One Applet to Exploit All Vulnerabilities

Styxy Cool Exploit Kit is a particular kit because it is a "merge" between the Cool and Styxy Exploit Kits. Here we are going to cover only the Java-related exploits, so if you want to know which vulnerabilities it has and why it's called Styxy Cool, go check Kafeine's post here. Between the eighth and ninth of July two interesting things happened: the Jar size increased from 5 Kb to 28 Kb, and the payload (Reveton) disappeared from Fiddler. Let's take a step back and analyze the exploit chain from the eighth of July. The first page, /abortion-success_conductor.php, displays a bunch of phrases about Yahoo France, but what it really does is check whether you have a vulnerable Java plugin installed in your browser. The page contains an instance of PluginDetect version 0.8 plus obfuscated JavaScript code. What does this code do? It takes the content of the textarea from /objection_confident_sulphur.html, since in the middle of the first page there is an iframe pointin...

32 AntiVirus versus the latest Java Exploit (CVE-2013-1493)

Imagine a scenario where someone wants to target your computer to get access to your files. This task can be accomplished in several ways, and one of them is using a Java exploit on a crafted/compromised website. What I want to test is how antivirus products handle "unknown" threats or forbidden behavior (an unsigned applet shouldn't be allowed to download files to your local disk). This test is based on basic/home/free products like Symantec AntiVirus and not Symantec Internet Security, which has more features. Some companies provide only Internet Security suites, so this cannot be a full comparison between these products. I tried to test all the antivirus products in this list but ended up with only 32, because some of them don't provide a free trial and the others I was unable to find or install. The important thing is that I covered all major/popular antivirus products. The testing machine is a Windows 7 SP1 32-bit, fully patched, on VirtualBox with Java SE 7 update 15 an...

Deobfuscating Java 7u11 Exploit from Cool Exploit Kit (CVE-2013-0431)

At the beginning of the past week @EKWatcher spotted Cool Exploit Kit using the Java 7 update 11 vulnerability (CVE-2013-0431). This vulnerability had already been reported by Security Explorations on seclists a few days after Oracle issued update 11. I decided to take a look at it. I found a website infected by Cool EK that, after a successful exploitation, dropped Reveton into the "C:\Documents and Settings\<username>\Application Data" folder on Windows XP. The applet used by Cool EK was named would-blood.jar, and once opened with JD-GUI the result was this. As you can see it's obfuscated, not heavily, but obfuscated. The first thing to do when you want to start deobfuscating an applet is to find the init() function, which is the "starting point" and cannot be changed. Remember that for serialized applets the starting point is a function called start() instead of init(). The init function is inside the hw class. It's immediately evident that al...

About the new Java 0-day vulnerability (CVE-2013-0422)

A couple of hours ago @Kafeine discovered a new Java 0-day exploit in the wild. This exploit is served by most exploit kits, like Blackhole, Cool Exploit Kit and Nuclear Pack. When the malicious applet is executed it downloads and executes a copy of Zeus. A curious thing is that Zbot comes with a self-signed digital certificate, but the detection rate is quite good at 12/46 (link). The jar file has been dropped by Blackhole, so it's heavily obfuscated by some commercial obfuscator and is detected by 5/46 (link). You can find both files here (password is: malware). If you want to read more, take a look at Kafeine's blog post. -- Update: working PoC here. Quick video to show you this PoC against Avira Free Antivirus.